CI_Input Class Reference


Public Member Functions

 CI_Input ()
 _sanitize_globals ()
 _clean_input_data ($str)
 _clean_input_keys ($str)
 _fetch_from_array (&$array, $index= '', $xss_clean=FALSE)
 get ($index= '', $xss_clean=FALSE)
 post ($index= '', $xss_clean=FALSE)
 get_post ($index= '', $xss_clean=FALSE)
 cookie ($index= '', $xss_clean=FALSE)
 server ($index= '', $xss_clean=FALSE)
 ip_address ()
 valid_ip ($ip)
 user_agent ()
 filename_security ($str)
 xss_clean ($str, $is_image=FALSE)
 xss_hash ()
 _remove_invisible_characters ($str)
 _compact_exploded_words ($matches)
 _sanitize_naughty_html ($matches)
 _js_link_removal ($match)
 _js_img_removal ($match)
 _convert_attribute ($match)
 _html_entity_decode_callback ($match)
 _html_entity_decode ($str, $charset='UTF-8')
 _filter_attributes ($str)

Public Attributes

 $use_xss_clean = FALSE
 $xss_hash = ''
 $ip_address = FALSE
 $user_agent = FALSE
 $allow_get_array = FALSE
 $never_allowed_str
 $never_allowed_regex


Member Function Documentation

CI_Input::_clean_input_data ( str  ) 

Clean Input Data

This is a helper function. Given a value (or an array of values, which it walks recursively, cleaning each key with _clean_input_keys()), it runs the value through xss_clean() when global XSS filtering is enabled ($use_xss_clean) and standardizes newline characters to a single newline character.

private

Parameters:
string the value, or array of values, to clean
Returns:
string the cleaned value (an array when an array was passed)

CI_Input::_clean_input_keys ( str  ) 

Clean Keys

This is a helper function. To prevent malicious users from exploiting array keys (which, unlike values, are rarely escaped and under register_globals become variable names), it checks that each key consists only of alphanumeric characters and a few separator characters. A key that does not conform aborts the request rather than being rewritten.

private

Parameters:
string the key to check
Returns:
string the key, unchanged, if it passes the check
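The key whitelist described above, as an added standalone example (this is a model written for this page, not CodeIgniter's own _clean_input_keys(); the exact character class and the choice to return FALSE instead of aborting the request are assumptions made to match the description):

```php
<?php
// Added example, not CodeIgniter code: models the key check that
// _clean_input_keys() is documented to perform. Character set and
// rejection behaviour are assumptions chosen to match the description.

function clean_input_key_model($key)
{
    // Letters, digits, colon, underscore, slash and hyphen only. Anchored
    // with \z rather than $ so a trailing newline cannot slip through.
    if (!preg_match('/^[a-z0-9:_\/-]+\z/i', $key)) {
        return FALSE;   // the framework itself aborts the request here
    }
    return $key;
}

// Constructed sample request. The last three keys are what an attacker
// sends when key names end up in markup, error messages or variable names.
$sample_get = array(
    'page'            => '2',
    'sort_by'         => 'name',
    'path/to:item'    => 'x',
    '<script>'        => 'alert(1)',
    "name' OR '1'='1" => 'y',
    "page\n"          => '3',
);

$accepted = array();
foreach ($sample_get as $key => $value) {
    $clean = clean_input_key_model($key);
    printf("%-24s %s\n", var_export($key, TRUE), $clean === FALSE ? 'REJECTED' : 'ok');
    if ($clean !== FALSE) {
        $accepted[$clean] = $value;
    }
}
// $accepted now holds only 'page', 'sort_by' and 'path/to:item'.
```

Whitelisting keys is cheap because legitimate form field names never need anything outside that set; it is the values, not the keys, that carry free text and need the heavier xss_clean() treatment.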

CI_Input::_compact_exploded_words ( matches  ) 

Compact Exploded Words

Callback function for xss_clean() to remove whitespace from things like j a v a s c r i p t, so that keywords padded with spaces to dodge a literal match are reassembled before the blacklists are applied

public

Parameters:
array the preg match array for one exploded word
Returns:
string the word with its internal whitespace removed

CI_Input::_convert_attribute ( match  ) 

Attribute Conversion

Used as a callback for XSS Clean

public

Parameters:
array 
Returns:
string

CI_Input::_fetch_from_array ( &$  array,
index = '',
xss_clean = FALSE 
)

Fetch from array

This is a helper function to retrieve values from the global arrays ($_GET, $_POST, $_COOKIE, $_SERVER), optionally running the value through xss_clean() first

private

Parameters:
array the global array to read from
string the index to fetch
bool whether to apply xss_clean() to the value
Returns:
string the value, or FALSE when the index is not set

CI_Input::_filter_attributes ( str  ) 

Filter Attributes

Filters tag attributes for consistency and safety

public

Parameters:
string 
Returns:
string

CI_Input::_html_entity_decode ( str,
charset = 'UTF-8' 
)

HTML Entities Decode

This function is a replacement for html_entity_decode()

In some versions of PHP the native function does not work when UTF-8 is the specified character set, so this gives us a work-around. More info here: http://bugs.php.net/bug.php?id=25670

private

Parameters:
string 
string 
Returns:
string

CI_Input::_html_entity_decode_callback ( match  ) 

HTML Entity Decode Callback

Used as a callback for XSS Clean

public

Parameters:
array 
Returns:
string

CI_Input::_js_img_removal ( match  ) 

JS Image Removal

Callback function for xss_clean() to sanitize image tags. This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image tag heavy strings

private

Parameters:
array 
Returns:
string

CI_Input::_js_link_removal ( match  ) 

JS Link Removal

Callback function for xss_clean() to sanitize links. This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings

private

Parameters:
array 
Returns:
string

CI_Input::_remove_invisible_characters ( str  ) 

Remove Invisible Characters

Strips non-printing control characters (raw and URL-encoded) from the string. This prevents sandwiching null characters between ASCII characters, for example inserting a null byte into the word javascript so that a literal search for the keyword fails to match while the browser still sees it.

public

Parameters:
string 
Returns:
string

CI_Input::_sanitize_globals (  ) 

Sanitize Globals

This function does the following:

Unsets $_GET data (if query strings are not enabled)

Unsets all globals if register_globals is enabled

Standardizes newline characters to a single newline character

private

Returns:
void

CI_Input::_sanitize_naughty_html ( matches  ) 

Sanitize Naughty HTML

Callback function for xss_clean() to remove naughty HTML elements

private

Parameters:
array 
Returns:
string

CI_Input::CI_Input (  ) 

Constructor

Sets whether to globally enable the XSS processing (the global_xss_filtering config item) and whether to allow the $_GET array (the enable_query_strings config item), then sanitizes the global arrays

public

CI_Input::cookie ( index = '',
xss_clean = FALSE 
)

Fetch an item from the COOKIE array

public

Parameters:
string The index key
bool XSS cleaning
Returns:
string the value, or FALSE when the index is not set

CI_Input::filename_security ( str  ) 

Filename Security

Strips characters and sequences that are unsafe in a filename, such as directory traversal sequences, HTML markup and shell metacharacters, together with their URL-encoded forms, and returns what remains. Treat it as a last line of defence: code that builds a filesystem path from user input should still apply basename() and check the result against the names it expects.

public

Parameters:
string 
Returns:
string

CI_Input::get ( index = '',
xss_clean = FALSE 
)

Fetch an item from the GET array

public

Parameters:
string The index key
bool XSS cleaning
Returns:
string the value, or FALSE when the index is not set

CI_Input::get_post ( index = '',
xss_clean = FALSE 
)

Fetch an item from either the GET array or the POST array. POST is checked first; GET is consulted only when the index is absent from POST.

public

Parameters:
string The index key
bool XSS cleaning
Returns:
string the value, or FALSE when the index is set in neither array

CI_Input::ip_address (  ) 

Fetch the IP Address

Returns the visitor's IP address as reported by the server environment. The value is checked with valid_ip() and replaced by 0.0.0.0 if it does not validate, then cached in $ip_address for the rest of the request.

public

Returns:
string

CI_Input::post ( index = '',
xss_clean = FALSE 
)

Fetch an item from the POST array

public

Parameters:
string The index key
bool XSS cleaning
Returns:
string the value, or FALSE when the index is not set

CI_Input::server ( index = '',
xss_clean = FALSE 
)

Fetch an item from the SERVER array

public

Parameters:
string The index key
bool XSS cleaning
Returns:
string the value, or FALSE when the index is not set
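How the fetch methods are used from a controller, as an added example (written for this page, not taken from the CodeIgniter distribution). It assumes a CodeIgniter 1.7 application in which the Input class is loaded, as it is by default, and a view named search_results, which is hypothetical:

```php
<?php
// Added example, not CodeIgniter code: a minimal 1.7-style controller
// showing per-fetch XSS cleaning and why output still has to be escaped.
// Assumes the standard $this->input object; the view name is made up.

class Search extends Controller
{
    function index()
    {
        // TRUE as the second argument runs the value through xss_clean()
        // on fetch. The fetch returns FALSE when the key is absent, so the
        // absent case is handled explicitly instead of being treated as text.
        $q = $this->input->get_post('q', TRUE);
        if ($q === FALSE) {
            $q = '';
        }

        // Per-field cleaning does what $config['global_xss_filtering']
        // does for every field, but lets a field that legitimately carries
        // markup (a CMS body, say) be handled on its own.
        $ua = $this->input->user_agent();
        $ip = $this->input->ip_address();

        // xss_clean() is a submission-time sanitizer (see the note on
        // xss_clean()), not an encoder. Escape for the HTML context at
        // output time regardless of whether the value was cleaned.
        $data['q_html']  = htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
        $data['ua_html'] = htmlspecialchars((string) $ua, ENT_QUOTES, 'UTF-8');
        $data['ip']      = $ip;   // already constrained to an IP by ip_address()

        $this->load->view('search_results', $data);
    }
}
```

Checking for FALSE matters because a missing field and a field sent with the literal value "0" or "" should be handled differently, and because `xss_clean` is only applied to the string that is actually returned.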

CI_Input::user_agent (  ) 

User Agent

Returns the User-Agent string sent by the client, or FALSE if none was sent; the result is cached in $user_agent. The value is entirely client-controlled, so escape it before displaying or logging it.

public

Returns:
string

CI_Input::valid_ip ( ip  ) 

Validate IP Address

Checks that the string is a well-formed dotted-quad IP address.

Updated version suggested by Geert De Deckere

public

Parameters:
string 
Returns:
bool TRUE if the address is valid, FALSE otherwise

CI_Input::xss_clean ( str,
is_image = FALSE 
)

XSS Clean

Sanitizes data so that Cross Site Scripting Hacks can be prevented. This function does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing. It rewrites the data (dangerous fragments are replaced with the [removed] marker, comments and CDATA openers are entity-encoded), so it is a sanitizer for untrusted input, not a substitute for escaping values for the context they are output into.

This function was based in part on some code and ideas I got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention

To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs: http://ha.ckers.org/xss.html

public

Parameters:
string the data to sanitize
bool whether the data is an uploaded image; when TRUE the function reports whether the image appears free of embedded script instead of returning the rewritten data
Returns:
string the sanitized data (bool when is_image is TRUE)
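A standalone model of four of the stages described on this page (invisible-character removal, exploded-word compaction, and the two never-allowed tables documented under Member Data), as an added example. It is written for this page and is not CodeIgniter's xss_clean(); the library's stage ordering, regex flags and exploded-word list are not given here and are assumptions below, and the real function runs further stages (entity decoding, attribute and tag filtering) that this model omits:

```php
<?php
// Added example, not CodeIgniter code: models four xss_clean() stages on
// constructed inputs. Order, regex flags and the word list are assumptions.

// Tables copied from the $never_allowed_str / $never_allowed_regex
// member data documented on this page.
$never_allowed_str = array(
    'document.cookie' => '[removed]',
    'document.write'  => '[removed]',
    '.parentNode'     => '[removed]',
    '.innerHTML'      => '[removed]',
    'window.location' => '[removed]',
    '-moz-binding'    => '[removed]',
    '<!--'            => '&lt;!--',
    '-->'             => '--&gt;',
    '<![CDATA['       => '&lt;![CDATA[',
);
$never_allowed_regex = array(
    'javascript\s*:'  => '[removed]',
    'expression\s*\(' => '[removed]',   // CSS and IE
    'Redirect\s+302'  => '[removed]',
);

// Stage 1: strip non-printing control characters, raw and URL-encoded.
// Repeated until stable so nested encodings such as "%%0000" cannot
// reassemble into "%00" after a single pass.
function remove_invisible_characters_model($str)
{
    $patterns = array(
        '/%0[0-8bcef]/', '/%1[0-9a-f]/',        // URL-encoded 00-08, 11, 12, 14-31
        '/[\x00-\x08\x0b\x0c\x0e-\x1f]/',        // raw control bytes except \t \n \r
    );
    do {
        $before = $str;
        $str = preg_replace($patterns, '', $str);
    } while ($before !== $str);
    return $str;
}

// Stage 2: collapse "j a v a s c r i p t"-style spacing inside keywords
// (assumed word list) so the later literal and regex tables can match.
function compact_exploded_words_model($str)
{
    $words = array('javascript', 'expression', 'vbscript', 'script', 'alert', 'document', 'cookie', 'window');
    foreach ($words as $word) {
        // Builds j\s*a\s*v\s*... and captures the following non-word character.
        $pattern = '#(' . implode('\s*', str_split($word)) . ')(\W)#is';
        $str = preg_replace_callback($pattern, function ($m) {
            return preg_replace('/\s+/s', '', $m[1]) . $m[2];
        }, $str);
    }
    return $str;
}

// Stages 3 and 4: the literal table, then the pattern table (case-insensitive here by assumption).
function apply_never_allowed_model($str, $never_allowed_str, $never_allowed_regex)
{
    $str = str_replace(array_keys($never_allowed_str), array_values($never_allowed_str), $str);
    foreach ($never_allowed_regex as $pattern => $replacement) {
        $str = preg_replace('#' . $pattern . '#i', $replacement, $str);
    }
    return $str;
}

function xss_stages_model($str, $never_allowed_str, $never_allowed_regex)
{
    $str = remove_invisible_characters_model($str);
    $str = compact_exploded_words_model($str);
    return apply_never_allowed_model($str, $never_allowed_str, $never_allowed_regex);
}

// Constructed inputs, each aimed at one stage.
$samples = array(
    "<a href=\"j a v a s c r i p t:alert(1)\">x</a>",   // exploded keyword -> [removed]alert(1)
    "<a href=\"java\x00script:alert(1)\">x</a>",        // null byte sandwiched in the keyword
    "%%0000<img src=x>",                                 // nested URL-encoding of a control byte
    "<div style=\"width: expression(alert(1))\">",       // CSS expression()
    "<!-- comment --> x.innerHTML = document.cookie",    // literal table entries
);
foreach ($samples as $in) {
    echo var_export($in, TRUE), "\n  => ",
         var_export(xss_stages_model($in, $never_allowed_str, $never_allowed_regex), TRUE), "\n";
}
```

The order matters: the null-byte and exploded-word stages exist to normalize the input so that the literal and regex tables, which are plain blacklists, see the keyword they are looking for. That dependence on normalization is also why the documentation above describes the filter as thorough rather than complete, and why output escaping is still required.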

CI_Input::xss_hash (  ) 

Random Hash for protecting URLs

Generates a random hash once per request and caches it in $xss_hash. xss_clean() uses it as a temporary marker that attacker-supplied input cannot predict.

public

Returns:
string


Member Data Documentation

CI_Input::$allow_get_array = FALSE

Whether the $_GET array is kept. Set by the constructor from the enable_query_strings config item; when FALSE, _sanitize_globals() discards $_GET.

CI_Input::$ip_address = FALSE

Cache for ip_address(); FALSE until the address is first looked up.

CI_Input::$never_allowed_regex

Patterns that xss_clean() replaces wherever they match. Each match is replaced with the [removed] marker.

Initial value:

 array(
     "javascript\s*:"  => '[removed]',
     "expression\s*\(" => '[removed]', // CSS and IE
     "Redirect\s+302"  => '[removed]'
 )

CI_Input::$never_allowed_str

Literal strings that xss_clean() replaces wherever they occur. Script-access fragments become the [removed] marker; comment and CDATA delimiters are entity-encoded so they can no longer open or close a comment in the output.

Initial value:

 array(
     'document.cookie' => '[removed]',
     'document.write'  => '[removed]',
     '.parentNode'     => '[removed]',
     '.innerHTML'      => '[removed]',
     'window.location' => '[removed]',
     '-moz-binding'    => '[removed]',
     '<!--'            => '&lt;!--',
     '-->'             => '--&gt;',
     '<![CDATA['       => '&lt;![CDATA['
 )

CI_Input::$use_xss_clean = FALSE

Whether every fetched value is passed through xss_clean() automatically. Set by the constructor from the global_xss_filtering config item.

CI_Input::$user_agent = FALSE

Cache for user_agent(); FALSE until the header is first read.

CI_Input::$xss_hash = ''

Cache for xss_hash(); empty until the hash is first generated.


The documentation for this class was generated from the following file:

Generated on Sun Nov 16 16:09:16 2008 for CodeIgniter by  doxygen 1.5.7.1